10.4:documentation:accounts:adm:accounts

Account Management

Basic account management is used for all entities that support provisioning. Identities utilise more complex account management, relying on roles assignments.

If an entity supports basic account management, then the method ProvisioningService.accountManagement is executed when the entity has been created/updated.

Provisioning ensures the following:

  1. Finds all systems with the provisioning mapping for this entity type.
  2. Generates the account identifier uid for this entity.
  3. For all found systems, checks whether or not an account with the same uid already exists. If so, then this method comes to an end.
  4. For all found systems, checks if the mapping includes the script 'Can an account be created?'. If this script is filled, it is executed. If the script returns Boolean.FALSE, then an account on this system is not created (this method comes to an end).
  5. Account on the system is created (AccAccount).
  6. A relation between the created account and the entity is created, too.
Basic account management does not provide delete of accounts for now. It only allows their creation.

Account management is carried out when triggered by events that impact accounts on the end system. These events may include:

  • creation/modification/deletion of an identity.
  • creating/modifying/deleting the assigned role to a given identity.
  • creating/modifying the definition of mapping the attributes for a role.
Identity account management uses the script 'Can an account be created?', too.

By default, if there is a contract that is valid in the future, and you assign a role to this contract (assigning a system), this assigned role is then discarded (not currently valid) during account management. That is, no accounts are created on end systems. This behavior constitutes the default and correct result.

In some cases, however, you need to create an account on an end system before a respective contract becomes valid (for example, when a new employee is expected to arrive). As a solution to this requirement, you can use forward identity account management.

This can be activated by ticking the checkbox 'Forward account management' on the detail of mapping system to a role. If checked, then an account on this system is created even though the assignment of this role to the user will not be valid until some time in the future.